Threat Actor Report | Cyber Operations Alliance (C.O.A)

Kossiso Royce

--

The Cyber Operations Alliance (C.O.A) is a cyber threat group formed in response to the October 7th attack in Israel. Led by Mas Rizkul of GARNESIA TEAM, the C.O.A comprises 11 hacking groups (as of March 2, 2024).

  • TEAM GARNESIA
  • GARUDA FROM CYBER
  • LulzSec Indonesia
  • Garuda Cyber Operations
  • From Lammer to Mastah
  • Ketapang Gray Hat
  • StarsX Cyber Team
  • Islam Cyber Team
  • Moroccan Black Cyber Army
  • Hacktivist Jatim

Driven by political motivations, anti-Zionism, and the desire to disrupt the Middle East, the C.O.A primarily targets Israeli businesses and government services. Their tactics include Distributed Denial-of-Service (DDoS) attacks, phishing, and brute-force attacks.

While skilled, the C.O.A appears to be a loosely coordinated group still developing its social engineering and target infiltration capabilities. They lack the resources for complex attacks.

II. Threat Actor Profile

  • Background: Formed after the October 7th attack in Israel.
  • Name(s) and aliases: Cyber Operations Alliance (C.O.A)
  • Geographic Locations: Primarily Indonesia, with some activity traced to India.
  • Skill Level: Sophisticated (capable of high-volume DDoS attacks)
  • Web Base: Telegram: [https://t.me/Coa_Agency](https://t.me/Coa_Agency)

History of Activity

Attack Types:

DDoS (Ping of Death, botnet, UDP Flood), Trojan (Coyote — Delphi malware), SSL Cracking, UAC Exploit, and Access Jacking.

Targets

Launched DDoS attacks against Israeli websites: neaman.org.il, catholic.co.il, avidichter.co.il, modoc.co.il, rtprint.co.il, wildlife-hospital.org.il, and juran.co.il.

Launched attacks against cnes.fr (Trojan — Coyote), nndc.bnl.gov (SSL Cracking), and www-nds.iaea.org (UAC Exploit and Access Jacking).

For more history, see: [https://t.me/Coa_Agency](https://t.me/Coa_Agency)

Motivations:

  • Political Disruption in the Middle East
  • Anti-Zionism
  • Potential for Data Theft and Critical Infrastructure Takedown (unverified)

III. Tactics, Techniques, and Procedures (TTPs)

  • Initial Access Methods: DDoS, zero-day exploits, spoofing, brute-force attacks, and cross-site scripting (XSS).
  • Persistence Techniques: Maintaining access to compromised systems.
  • Data Exfiltration Techniques: Downloading and dumping data, and acquiring administrative privileges.

IV. Targets

The C.O.A exhibits opportunistic targeting, striking businesses, critical infrastructure, and telecommunication sectors.

V. Impact

The C.O.A has caused moderate disruption to services in Indonesia. The extent of their impact on Israeli targets is still under evaluation.

VI. Indicators of Compromise (IOCs)

Currently unavailable.

VII. Detection and Mitigation Strategies

  • Implement user awareness training to identify phishing attempts.
  • Enforce strong password policies.
  • Patch vulnerabilities promptly.
  • Deploy Endpoint Detection and Response (EDR) solutions.
  • Utilise Security Information and Event Management (SIEM) systems.
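The TTP section above names brute-force attacks and UDP floods among the group's methods, and the mitigation list recommends feeding telemetry into a SIEM. The following script is an added illustration, not code from this report or from the group's tooling: it runs a sliding-window detector over constructed log lines to flag the two behaviours a SIEM rule would look for here, repeated authentication failures from one source and a burst of UDP traffic to one destination. The log format, field names, IP addresses and thresholds are all assumptions chosen for the example.

```python
"""Sliding-window detection for credential brute-forcing and UDP-flood bursts.

Added example; the log format below is a constructed, SIEM-style normalisation
("<ISO timestamp> <event> key=value ..."), not telemetry from any real incident.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events, in chronological order. One source (203.0.113.7)
# fails five logins inside a minute; another fails once and then succeeds.
AUTH_LINES = """\
2024-03-02T10:00:00 auth_fail src=203.0.113.7 user=admin
2024-03-02T10:00:03 auth_fail src=203.0.113.7 user=root
2024-03-02T10:00:05 auth_fail src=198.51.100.9 user=admin
2024-03-02T10:00:08 auth_fail src=203.0.113.7 user=admin
2024-03-02T10:00:12 auth_fail src=203.0.113.7 user=operator
2024-03-02T10:00:15 auth_fail src=203.0.113.7 user=admin
2024-03-02T10:00:20 auth_ok src=198.51.100.9 user=admin"""

# Constructed flood: twelve UDP datagrams from twelve different sources hit the
# same DNS endpoint within one second, followed by a single stray packet later.
FLOOD_LINES = "\n".join(
    f"2024-03-02T10:00:40 udp src=192.0.2.{i} dst=10.0.0.5:53 bytes=1200"
    for i in range(21, 33)
) + "\n2024-03-02T10:00:45 udp src=192.0.2.40 dst=10.0.0.5:53 bytes=60"

SAMPLE_LOG = AUTH_LINES + "\n" + FLOOD_LINES


def parse(lines):
    """Yield (timestamp, event_type, attributes) for each non-empty log line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts_text, event, rest = line.split(" ", 2)
        attrs = dict(kv.split("=", 1) for kv in rest.split())
        yield datetime.fromisoformat(ts_text), event, attrs


def sliding_window_alerts(events, event_type, key_fn, window, threshold):
    """Raise one alert per key when >= threshold events of event_type fall
    inside a trailing time window. Events must arrive in time order."""
    windows = defaultdict(deque)  # key -> timestamps inside the current window
    alerted = set()
    alerts = []
    for ts, event, attrs in events:
        if event != event_type:
            continue
        key = key_fn(attrs)
        dq = windows[key]
        dq.append(ts)
        while dq and ts - dq[0] > window:  # evict timestamps older than the window
            dq.popleft()
        if len(dq) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((event_type, key, len(dq), ts))
    return alerts


def detect_brute_force(lines, threshold=5, window_s=60):
    """Flag a source IP with >= threshold failed logins within window_s seconds."""
    return sliding_window_alerts(
        parse(lines), "auth_fail", lambda a: a["src"],
        timedelta(seconds=window_s), threshold,
    )


def detect_udp_flood(lines, threshold=10, window_s=1):
    """Flag a destination receiving >= threshold UDP datagrams within window_s
    seconds, counted across all sources (flood traffic rarely shares one src)."""
    return sliding_window_alerts(
        parse(lines), "udp", lambda a: a["dst"],
        timedelta(seconds=window_s), threshold,
    )


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print("brute-force:", alert)
    for alert in detect_udp_flood(SAMPLE_LOG.splitlines()):
        print("udp-flood:", alert)
```

The brute-force rule keys on the source address because credential guessing comes from the attacker's own hosts, whereas the flood rule keys on the destination and ignores the source, since a UDP flood is spread across many (often spoofed) senders and a per-source count would never cross the threshold. Thresholds and windows are tuning parameters; in a real SIEM they would be set from the baseline rate of the protected service rather than the values assumed here.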

VIII. Conclusion

The C.O.A is a developing threat actor with growth potential. Their reliance on DDoS attacks suggests a focus on disruption over high-level espionage. Continuous monitoring and improved defences are crucial to mitigate their attacks.

Recommendations for further investigation or mitigation efforts:

  • Investigate potential links between the C.O.A and the October 7th attack on Israel.
  • Track the C.O.A's evolution, particularly its development of social engineering and infiltration techniques.
  • Share IOCs with the security community once identified.
